Hackers Cracked Charities’ Addresses and Passwords

Hackers obtained access last month to the e-mail addresses and passwords of thousands of donors to 92 charities that use online database software and services from Convio Inc.

Among the charities are CARE and the American Museum of Natural History.

There is no evidence that anyone has used the information to engage in fraud, but several charities have notified donors of the breach and advised them to consider changing passwords if they use the same password for other purposes. Convio, of Austin, Tex., which works primarily with charities, discovered the breach on Nov. 1 and told clients about it two days later, said Tad Druart, a spokesman.

About a week later, the company notified an additional 62 nonprofit groups that similar information about their donors might have been compromised, although there was no evidence that it had been downloaded, Mr. Druart said.

He said the problem affected only users of GetActive, a business that was acquired by Convio almost a year ago.

“The investigation is continuing,” Mr. Druart said.

News of the breach was reported as the year-end giving season starts. A growing number of donors use the Internet to make their gifts, and experts said some charities might have been reluctant to inform them about the breach out of fear that it would affect donations.

“This wasn’t the best time for this to happen,” said Beth Kanter, a consultant and blogger. “It’s a matter of donor stewardship, and while it’s not an emergency, you need to treat it as if it was one.”

The breach set off a lively blog discussion about how the affected charities should respond.

Allan Benamer, who writes the Non-Profit Tech Blog, reported on the problem early in the month. By Nov. 14, Mr. Benamer could identify just four organizations that had notified donors: freepress.net, CARE, the Museum of Natural History and Credo Mobile, a for-profit wireless communications business that works to enlist customers’ support for progressive causes.

“This is a disturbing trend and shows that nonprofits don’t understand the nature of security,” Mr. Benamer wrote.

He said charities needed to be more open with donors about security.

Credo and TechSoup, a nonprofit organization that helps charities with technology, posted notices on their Web sites. Other organizations relied on e-mail messages or letters to inform donors and newsletter subscribers.

In an interview, Mr. Benamer said that was not enough.

“Organizations need to put a notice on their Web sites and contact the traditional media,” he said. “As long as people don’t know what’s happening to them, they can’t defend themselves.”

Convio, which is conducting an initial public offering, would not say how many individuals might be affected. But given the size of the organizations, the number may reach into the hundreds of thousands.

The American Red Cross, which uses GetActive to distribute a newsletter about blood services and was in the second group to learn of the problem, said up to 278,000 e-mail addresses had been compromised.

Passwords were also at risk in 1,351 instances, said Stephanie Millian, a spokeswoman for the Red Cross. The organization sent letters to those people on Nov. 14, alerting them to the potential problem and offering advice about addressing it.

“We’re lucky this just involved e-mail addresses and a few passwords and not any personal identification or personal numbers,” Ms. Millian said.

Michael Kieschnick, president of Credo, said it had notified “hundreds of thousands” of customers within hours of being notified on Nov. 3.

“There was never in our minds a question about whether to do it quickly or not,” he said.

Nicole Forsyth, president and chief executive of United Animal Nations, an animal assistance group that was among the first organizations told of the breach, said that more than 7,000 of its 20,000 online newsletter subscribers were affected and that some were angry.